Custom applications: organizations that invested heavily in customized solutions may have (had) a legitimate cost analysis that kept them on their current course. It is worth asking how the actual end of support changes those numbers.
Concerns or struggles over the costs: whether accepted or not, a lot of folks are unable or unwilling to spend money on new hardware, operating systems, and applications. It's a costly change. Chances are the impacts are less understood, too.
Exploring each of these (and other) reasons deeper reveals the real lesson about the assumptions made.
The hidden, single biggest lesson for security
Hidden in plain sight is the single biggest lesson for security:
We need to challenge our assumptions at the beginning of the process.
How long is it reasonable to expect hardware and software, especially the underlying OS, to be stable and supported? Y2K and the long goodbye to Windows XP are evidence that the timeline for these expectations is short, and getting shorter.
When coming across reasons to keep Windows XP, even now, we have to question why. Instead of shaking our heads in a knowing way, informed by over a decade of experience, it's an opportunity to engage in conversation.
It'll likely be uncomfortable in some cases to probe the assumptions on which the solutions were built and the decisions were made. Take the opportunity to learn first, then find the right solution forward.
Want better security? Practice asking this one question
As we reflect on the lessons and experiences afforded by the long run of Windows XP, a simple question emerges that allows us to improve security:
And what if our assumption(s) are wrong?
The key is to simply ask and guide the discussion across three dimensions:
Question and document the assumptions about how long each of these elements tends to last. Then ask how long it needs to last in order for the project/solution/decision to make sense.
Then follow up, again, by simply asking, "And what if our assumptions are wrong?"
Thinking about assumptions and outcomes earlier in the process is a simple and effective way to improve security today and in the future.